{"id":7616,"date":"2025-10-12T10:03:28","date_gmt":"2025-10-12T10:03:28","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/12\/hackers-can-inject-malicious-code-into-antivirus-processes-to-create-a-backdoor\/"},"modified":"2025-10-12T10:03:28","modified_gmt":"2025-10-12T10:03:28","slug":"hackers-can-inject-malicious-code-into-antivirus-processes-to-create-a-backdoor","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/12\/hackers-can-inject-malicious-code-into-antivirus-processes-to-create-a-backdoor\/","title":{"rendered":"Hackers Can Inject Malicious Code into Antivirus Processes to Create a Backdoor"},"content":{"rendered":"

Hackers Can Inject Malicious Code into Antivirus Processes to Create a Backdoor
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A new technique enables attackers to exploit antivirus software by injecting harmful code directly into the antivirus processes. This approach makes it easier for them to evade detection and compromise the security that antivirus software is designed to provide.<\/p>\n

This method, detailed by cybersecurity researcher Two Seven One Three on X (@TwoSevenOneT), involves cloning protected services and hijacking cryptographic providers to create a backdoor in the antivirus installation folder, bypassing standard defenses.<\/p>\n

The approach highlights a vulnerability in how antivirus solutions prioritize their own stability. By injecting code into these \u201cunkillable\u201d processes, researchers gain elevated privileges to perform actions like writing files to restricted directories, all while evading detection. <\/p>\n

As antivirus programs evolve to combat sophisticated threats, such techniques underscore the delicate balance between robust security and operational reliability.<\/p>\n

Bypassing Antivirus Defenses<\/strong><\/h2>\n

Antivirus software employs multiple strategies to shield its core processes from interference, ensuring uninterrupted protection for users.<\/p>\n

These programs typically run with SYSTEM-level privileges, granting them broad access to monitor and neutralize threats across the system.<\/p>\n

Process introspection allows the antivirus to vigilantly scan its own threads for anomalies, such as unauthorized code injections from external sources.<\/p>\n

Further safeguards include code integrity checks that verify the authenticity of loaded modules and the use of Windows\u2019 Protected Process Light (PPL) feature.<\/p>\n

This isolates user-mode processes, preventing tampering even by administrators. In the kernel, antivirus<\/a> drivers deploy sensors to block alterations to detection mechanisms, while self-protection routines automatically restart compromised components or alert on suspicious activity.<\/p>\n

Determining which processes qualify for protection is equally meticulous. Developers avoid simplistic checks like process names, which attackers could spoof by mimicking filenames.<\/p>\n

Instead, solutions like Bitdefender combine verification of the process\u2019s ImagePath, ensuring the executable resides in the correct directory, with restrictions on file writes to installation folders.<\/p>\n

Digital signatures of loaded DLLs add another layer, though attackers can attempt to bypass these through advanced evasion tactics.<\/p>\n

Modifying the Process Environment Block (PEB) or using the CreateProcess API handles proves futile, as kernel drivers monitor initialization from the outset.<\/p>\n

\n
\n
\n
\n

Anything that seems too good to be true for malware developers: executing code within #antimalware<\/a> processes.
Github: TwoSevenOneT\/IAmAntimalware#redteam<\/a> #pentest<\/a> pic.twitter.com\/kii6dpY6yQ<\/a><\/p>\n

\u2014 Two Seven One Three (@TwoSevenOneT) October 11, 2025<\/a>\n<\/p><\/blockquote>\n